httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: T&R of 2.4.24
Date Tue, 13 Dec 2016 02:04:04 GMT
On Dec 12, 2016 7:44 PM, "Daniel Ruggeri" <DRuggeri@primary.net> wrote:
On 12/12/2016 12:26 AM, William A Rowe Jr wrote:
> In spite of 34 registered project committee members, until other
> contributors come forward to participate in the security patch review
> process, we may simply have to declare all further efforts are currently
> on pause.

Does one have to be on PMC to review security patches? If not, can you
give me a general idea on volume? This would be something I think
$dayjob would be OK with me doing as part of keeping a shirt on my back
and a roof over the children's heads ;-)
This is something our httpd security team has revisited a few times over
the past few years.

To be on *httpd* security list, we require a certain level of trust. In the
past, this was based on PMC membership. We have since tweaked things to
bring in proven committers who are not yet on the PMC.

Also, all ASF Members have access to private archived lists; this includes
any PMC private lists and security lists across the foundation.

In terms of volume, there are only a handful of security issues per year,
from none to a dozen, but many dozens of reports we have to evaluate and
filter. It often takes probing questions of the reporter to distinguish
their defect report from a vulnerability, or to quantify and qualify the
exposure and risk.

The ASF-wide list is another beast: it is a massive spam trap, exceeding
dozens of garbage messages per day, to capture about a dozen legitimate
messages a day, and only a tiny handful of new inbound messages a day that
are dispatched to the appropriate PMC's team. That list does require ASF
Membership to volunteer because it has full visibility into most every
defect.
